From owner-freebsd-security Thu Apr 19 13:37:59 2001
Delivered-To: freebsd-security@freebsd.org
Received: from homepage.ru (homepage.ru [195.242.9.13]) by hub.freebsd.org (Postfix) with ESMTP id 135A837B43E for ; Thu, 19 Apr 2001 13:37:54 -0700 (PDT) (envelope-from dk@homepage.ru)
Received: from homepage.ru (spb-3-28.dialup.peterlink.ru [195.242.18.28]) by homepage.ru (8.9.3/8.9.3) with ESMTP id AAA67007 for ; Fri, 20 Apr 2001 00:39:27 +0400 (MSD) (envelope-from dk@homepage.ru)
Message-ID: <3ADF4DD0.17AB0F64@homepage.ru>
Date: Fri, 20 Apr 2001 00:42:56 +0400
From: "D. K."
X-Mailer: Mozilla 4.74 [en] (X11; U; FreeBSD 4.2-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: security@FreeBSD.ORG
Subject: FreeBSD grow bug
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello All!

I played with format strings in the *printf functions and found a bug in the libc library on my FreeBSD 4.2-RELEASE machine. The bug is in the /usr/src/lib/libc/stdio/vfprintf.c source, in the function __grow_type_table, which is used by the function vfprintf. The first parameter of the memset function is incorrectly computed. All *printf functions which use vfprintf have this error.

Test example:

===beg test.c===
#include <stdio.h>

int main(int argc, char **argv)
{
	printf("%7$x\n", 1, 2, 3, 4, 5, 6, 7);       /* prints 7 */
	printf("%8$x\n", 1, 2, 3, 4, 5, 6, 7, 8);    /* crashes on an affected system */
	printf("no grow bug\n");
	return 0;
}
===end test.c===

Results:

# ./test
7
Segmentation fault (core dumped)

If you have seen the eight, it means that your system does not have this bug. The error appears when the parameter number after % is more than seven.

Quick patch:

===beg grow_patch===
--- vfprintf.c.old	Sat Aug 28 04:01:20 1999
+++ vfprintf.c	Thu Apr 19 22:16:19 2001
@@ -1191,7 +1191,7 @@ reallocf (typetable, sizeof (unsigned char) * newsize); } - memset (&typetable [*tablesize], T_UNUSED, (newsize - *tablesize)); + memset (*typetable + *tablesize, T_UNUSED, (newsize - *tablesize)); *tablesize = newsize; } ===end grow_patch=== Best Regards, Dmitry Kopteloff --- LG Soft Lab. Information Security Group, RUSSIA To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
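Review bot: the unchanged context line `reallocf (typetable, sizeof (unsigned char) * newsize);` carries the same confusion that the `+` line corrects for memset. The fixed memset addresses the table as `*typetable + *tablesize`, so typetable is a pointer to the caller's table pointer, and passing bare `typetable` hands reallocf the address of that pointer variable rather than the previously allocated table. Suggest changing the argument to `*typetable` in the same patch (`reallocf (*typetable, sizeof (unsigned char) * newsize);`) so that the second and later growths do not resize the wrong memory; the `+` line itself looks correct.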
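As an added illustration (not the author's code and not FreeBSD's libc), here is a self-contained model of the growth routine in its corrected form, plus a helper that shows where the unpatched address expression actually points. T_UNUSED, T_INT, STATIC_ARG_TBL_SIZE and the function names are assumptions of the model; the table is indexed by the N of %N$ directly, which is what makes %8$ the first conversion to need a growth in an 8-slot table, matching the results reported above.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Assumed values for this model (constructed, not taken from the message). */
#define T_UNUSED 0
#define T_INT    1
#define STATIC_ARG_TBL_SIZE 8

/* Corrected growth step, modelled on the patched routine. typetable points to
 * the caller's table pointer, so the new slots live at *typetable + *tablesize;
 * the unpatched &typetable[*tablesize] steps pointer-sized cells past the
 * pointer variable itself. Returns 0 on success, -1 if allocation fails. */
static int grow_type_table(unsigned char **typetable, int *tablesize,
                           const unsigned char *statictable)
{
    unsigned char *oldtable = *typetable;
    int newsize = *tablesize * 2;
    unsigned char *p;
    if (oldtable == statictable) {          /* first growth: leave the static array */
        p = malloc((size_t)newsize);
        if (p == NULL) return -1;
        memcpy(p, oldtable, (size_t)*tablesize);
    } else {                                /* later growths: resize the heap copy */
        p = realloc(oldtable, (size_t)newsize);
        if (p == NULL) return -1;
    }
    *typetable = p;
    memset(*typetable + *tablesize, T_UNUSED, (size_t)(newsize - *tablesize));
    *tablesize = newsize;
    return 0;
}

/* Record the type of argument N of a "%N$" conversion. Slot N is used directly,
 * so with an 8-slot static table "%8$" is the first to force a growth. */
static int mark_arg_type(int argno, unsigned char type, unsigned char **typetable,
                         int *tablesize, const unsigned char *statictable)
{
    while (argno >= *tablesize)
        if (grow_type_table(typetable, tablesize, statictable) != 0) return -1;
    (*typetable)[argno] = type;
    return 0;
}

/* Byte distance from the caller's pointer variable to where the unpatched
 * &typetable[n] points: n * sizeof(unsigned char *), nowhere inside the table. */
static ptrdiff_t buggy_offset_bytes(unsigned char **typetable, int n)
{
    return (unsigned char *)&typetable[n] - (unsigned char *)typetable;
}
```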